home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.156
< prev
next >
Wrap
Text File
|
1995-01-03
|
12KB
|
288 lines
VIRUS-L Digest Friday, 21 Jul 1989 Volume 2 : Issue 156
Today's Topics:
New PC virus (and really bad news)
Re: CMS viruses (IBM CMS)
Re: Request for info on viruses (PC)
VIRUSCAN tested (PC)
On Brain (PC)
Re: Corporate culture shift resulting from virus mis(?)information
---------------------------------------------------------------------------
Date: Thu, 20 Jul 89 13:54:51 +0000
From: Fridrik Skulason <frisk@RHI.HI.IS>
Subject: New PC virus (and really bad news)
Subject: A virus that can bypass anti-viral programs.
I got a letter yesterday. Translated to English, it reads:
Dear Fridrik,
Thanks for the publicity you have given to our virus. To show our
gratitude, we have placed you on our distribution list. You will
from now on receive FREE copies of all our viruses.
Enclosed is an update of our first virus, that will bypass every
virus protection programs.
Expect our program for "improving" SYS-files Real Soon Now.
(signed) 4418 and 5F19
The signature is the same as the last two words in the Icelandic virus.
By "publicity" they are probably referring to the fact that I have alerted
every computer dealer in Reykjavik (all 12 of them that is) to the existence
of an Icelandic virus.
I guess the last sentence in the letter is the first vaporware announcement
by virus authors.
The bad news is that the virus will indeed bypass some anti-virus
programs. Not all of them - programs that check for file length changes
will find infected programs.
But - the virus will infect programs, even if programs like Flushoot+
(or my own programs) are installed. It probably will also bypass
all programs that just monitor interrupts.
I have not finished disassembling it, but I will send a copy of the listing
to those who received the disassembly of the first version of the Icelandic
virus.
------------------------------
Date: Thu, 20 Jul 89 11:06:24 -0400
From: Valdis Kletnieks <VALDIS@vtvm1.cc.vt.edu>
Subject: Re: CMS viruses (IBM CMS)
>2. neither MVS nor VM could be infected by 16 bytes of code in an none
>obtrusive manner... an overwriting virus possibly...!! however these
>are both large expensive mainframe SCP(system control programs) note I
>didnt include cms in this he is a user interface!! but they most
>defintely can be infected!!!!!!
First of all, I beleive it was 16 *lines* not 16 *bytes*. Even in
assembler, 16 lines will give you 64 bytes of code (assuming average
4/bytes instruction), and more if you allow macro use.
I'm unclear what you're saying - are you saying that VM and MVS are
systems that "can't be infected non-obtrusively" or that they "can be
infected"?
I have seen 5-line programs that broke VM. Once you do that, all the rest
is just pretty-printing. And the 5-line program was SO unobtrusive that
the author literally didn't KNOW for a while that he had done it.
It turned out to be a bug in HIS program accidentally exploiting a bug
in the SYSTEM.
IBM very recently (as an SPE apar to SP/4) fixed a BIG hole in the reader
file support, where a sequence of 5 user commands would break a userid.
The bottom line is that (a) you can break it (b) if you're good, nobody
will notice and (c) sometimes you don't even have to be very good...
>3. given the richness of the 2 above environments and both of them
>predate any other System control programs currently used now... no
>human intervention is necessary for an infection mechanism to
>accomplish its designed task!!!!
Well, MVS/ESA can trace itself back to 1963 and the OS/360 project.
However, CP/67 (the ancestor of VM/SP and VM/XA) dates to almost literally
the same month in 1967 as the first attempts to bring Unix up. And both
Unix and VM are newer than the venerable Multics (which is still used at a
fairly large number of sites).
And admittedly MVS and VM *can* both be broken. Otherwise IBM would not
have needed to issue 'Statements of Integrity' for them.
However, if anything, you got the point here backwards. It is mostly the
*newer*, *less mature* systems that are easily attacked and penetrated
without human intervention. Remember that MVS has literally 25 years
of people breaking into it, while the Macintosh OS has a lot less
experience in defending itself.
Yes, the older operating systems ARE generally more full-featured.
But the features are generally a LOT more robust.
>4. to acheive point 3 above... one must be what is knwown in IBM
>Parlance as a SYSPROG not just a technical support specialist... in
>other words it most likely is not going to be the local 14 year old
>sunnyvale hacker!!!(that would implement this code)
Ah yes - to break into VM without human intervention DOES require a fair
amount of true wizardry. However, you can trust that enough users will
run anything that shows up that a trojan horse like the Christmas Card
exec is effectively a virus. Yes, technically the Christmas Exec was
a trojan horse. However, that didn't stop it from taking out the
BitNet academic network and the VNET IBM internal net just as effectively
as the Morris worm did to the Internet.
Valdis Kletnieks
Computer Systems Engineer
Virginia Tech
------------------------------
Date: Thu, 20 Jul 89 12:45:51 -0700
From: voder!nsc!berlioz.nsc.com!gwang@apple.com (George Wang)
Subject: Re: Request for info on viruses (PC)
In article <0003.y8907031857.AA11952@ge.sei.cmu.edu> you write:
> We have had the same (c) Brain running around UB for some time now,
>but have managed to kill it off. We Have the source code (written in C) for
>NOBRAIN, which will remove the bad sectors, and volume. We had picked up
>the cure from another University, and put it in all of our micro sites.
Can you email me the source code to NOBRAIN? I would like to
install it on the school's University computers... We've
been having trouble with the Brain Virus and would like
to stop it.... Thanks
George
George Wang
VLSI Software Engineer
National Semiconductor
Gwang@berlioz.nsc.com
(408) 721-4365 Voice
------------------------------
Date: Thu, 20 Jul 89 13:09:08 -0700
From: huangcm@iris.ucdavis.edu (Christina M. Huang)
Subject: VIRUSCAN tested (PC)
I ran VIRUSCAN Version 0.3V27 on some virus infected programs. The
following are the ones that it positively identified:
Italian (Ping Pong)
Den Zuk
Jerusalem
Pakistani Brain
1701/1704 (Cascade)
Alameda
Lehigh
Vienna (DOS62)
April First
Icelandic
Fu Manchu
Traceback
Datacrime (1280/116B)
- -CH
------------------------------
Date: Fri, 21 Jul 89 09:18:29 -0000
From: A.SIGFUSSON@ABERDEEN.AC.UK
Subject: On Brain (PC)
I got a copy of PC VIRUS LISTING by Jim Goodwin of a virus archive and
I found that the copy of the BRAIN virus I have is different from what
he describes. The version I have is the SHOE_VIRUS which has the message
"...VIRUS_SHOE RECORD, v9.0. Dedicated to the....." and is said to be a
modified version of the Brain-B virus which can infect hard disks. I tried
recently to infect a hard disk with it when I was experimenting with the
F-PROT protection software but failed to infect the disk. I booted the
computer up on an infected floppy, several times, and the virus planted
itself in the memory and infected every floppy I inserted after that exept
those protected with F-INOC. According to J. Goodwin this version of
Brain should infect hard disks but SHOE_VIRUS v9.1 should not. I was
wondering if it was the other way around and if anyone has experience
of Brain infecting hard disks.
Thanks
Arnor Sigfusson (A.SIGFUSSON@UK.AC.ABERDEEN)
------------------------------
Date: 20 Jul 89 19:23:42 +0000
From: chinet!ignatz@att.att.com
Subject: Re: Corporate culture shift resulting from virus mis(?)information
In article <0004.y8907171856.AA19378@ge.sei.cmu.edu> DCD@CUNYVMS1.BITNET writes
:
>.... I am intrigued by what can only be called the return of MIS:
>we all know the corporate Kulturkampf that took place not so many years
>ago when microcomputers became readily available--the MIS people (in large
>corporations) kicked and screamed, but eventually their power was diluted.
>Now, I am seeing reports that their day has returned. Relatively techno-
>illiterate upper management sees reports on viruses in Time, etc., and puts
>a call in that all decisions on software must be blessed from a newly power-
>ful management structure.
>
[A few examples elided]
>
>I have no doubt that such corporate shenanigans are taking place all
>the time, and would be interested in any comments.
>
>Thanks for your time in reading this,
>
> Robert Braham
>E-mail: DCD@CUNYVMS1.BITNET
>Home: 1315 Third Ave., 4D
> New York, NY 10021
> (212) 879-1026
I trust Robert reads this group; otherwise, well, he won't see this.
I'm a consultant in the Chicago area, and have been for almost 11
years now. This means I get to encounter the MIS and computer
policies of a number of different firms, both Fortune 500 and small
ones. Most definitely, the MIS departments are attempting to
re-assert their control over computing resources, and use of the
current panic concerning possible viruses, worms, and other
infestations by crackers is one of the prime tools. Unfortunately,
these organizations often have little or no knowledge of the needs of
the long-alienated users who now must clear requests through them;
many are traditional IBM mainframe managers, who now must deal with
the bewildering plethora of packages and utilities available to the
micro- and mini-computer user. The (unfortunate) result is that
often, only a very few programs and packages are considered
'authorized', and restrictive (and usually unnecessary) controls are
placed on procurement and use.
Even worse are some organizations who have installed usually
unqualified personnel in the newly-created office of "Computer
Security." In one unnamed company, this person was a lawyer whose
qualifications were that he knew how to use Lotus 1-2-3. Period. In
these cases, it's particularly difficult to express the difference
between accepting a source copy of a public domain program, and a
binary copy--this person passed down a directive that *all* PD
software was to be scrubbed ASAP on all corporate machines. It took a
**long** training session to explain the difference in verification
capabilities, and why we really could safely review and use PD
sources.
I'm in the position to argue with, and (often) successfully educate
such organizations; but this is difficult for "real" employees, since
such directives often come from individuals who are high enough in the
hierarchy to make disagreement a somewhat risky proposition. Also,
the decision makers at this level may well not be computer literate
themselves, and have neither the time nor the desire to do so--they
want clear, concise advice from their experts, who are often those
disenfranchised MIS people. (Who are often not qualified
themselves...see above.)
This is not a happy-making situation, and I don't have a blanket
answer. I think what, perhaps, will give us all the best ammunition
to counter the rising hysteria is a clear, well-written text that is
targeted at the intelligent layman, describing exactly what the attack
vectors are, and what approaches can reasonably protect a distributed
computing environment without unnecessary stifling of creative use or
access to valuable programs.
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253